
Steven McGhie at Systal explores what can make a firewall migration successful, what can make it unsuccessful, and what to expect on a journey that will ultimately improve a business’s security posture
Today’s cyber-security challenges require the newest and most secure features offered by Next Generation Firewalls (NGFs). With these NGFs, businesses gain protection against both zero-day threats and denial-of-service attacks.
The process of upgrading and installing NGFs in the first place, however, can prove challenging, and it is vital that the complexity of the migration is managed. To get the most out of the migration, teams must have a close understanding of the technology and plan for the migration, choose the correct tools, test to validate and closely monitor desired outcomes.
This article lays out the steps needed to properly execute a complex firewall migration.
The first step in preparing is to understand the technology being migrated, the specific objectives of the migration, and all the differences between the old and new setups. Audit the current firewall collaboratively: assess the physical and logical topology being migrated, build an understanding of the objects and rules in use, identify which of them are unnecessary and can be removed to simplify the process, and identify alternative routes traffic could take during the change freeze and migration.
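One way to support the rule-base audit described above is to check mechanically for rules that can never fire and address objects that nothing references. The following is an added example, not code from the article or from Systal; the object names, rule base and simplified rule model (IPv4 only, first-match semantics, destination port ranges) are constructed for illustration.

```python
from collections import namedtuple
from ipaddress import ip_network

# Fields: src/dst are object names; proto is "tcp", "udp", "icmp" or "any";
# ports is a (low, high) destination port range or None for any port.
Rule = namedtuple("Rule", "name src dst proto ports action")

# Constructed sample address objects and rule base (hypothetical values).
OBJECTS = {
    "any": "0.0.0.0/0",
    "corp_lan": "10.0.0.0/8",
    "hr_subnet": "10.20.0.0/16",
    "web_dmz": "192.0.2.0/24",
    "old_crm": "192.0.2.77/32",   # referenced by no rule
}
RULES = [
    Rule("allow-web", "corp_lan", "web_dmz", "tcp", (443, 443), "allow"),
    Rule("hr-to-web", "hr_subnet", "web_dmz", "tcp", (443, 443), "allow"),
    Rule("deny-icmp", "any", "web_dmz", "icmp", None, "deny"),
    Rule("allow-dns", "corp_lan", "any", "udp", (53, 53), "allow"),
]

def covers(outer, inner, objects):
    """True if every packet matched by inner is also matched by outer (IPv4 only)."""
    for field in ("src", "dst"):
        o = ip_network(objects[getattr(outer, field)])
        i = ip_network(objects[getattr(inner, field)])
        if not i.subnet_of(o):
            return False
    if outer.proto != "any" and outer.proto != inner.proto:
        return False
    if outer.ports is not None:
        if inner.ports is None or inner.ports[0] < outer.ports[0] or inner.ports[1] > outer.ports[1]:
            return False
    return True

def shadowed_rules(rules, objects):
    """First-match semantics: a rule fully covered by an earlier rule can never fire.
    Returns (rule, shadowing rule, True if the hidden rule's action differs)."""
    findings = []
    for idx, rule in enumerate(rules):
        for earlier in rules[:idx]:
            if covers(earlier, rule, objects):
                findings.append((rule.name, earlier.name, rule.action != earlier.action))
                break
    return findings

def unused_objects(objects, rules):
    """Address objects no rule references: candidates for removal before migration."""
    return set(objects) - {r.src for r in rules} - {r.dst for r in rules}
```

A shadowed rule whose action differs from the rule hiding it (a deny sitting below a broader allow) deserves a look before conversion, since it may record an intent the live policy never enforced.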
To understand the objectives of the migration, establish the specific threats facing a system by reviewing security logs for information on threats to date, conducting a thorough risk assessment and vulnerability scanning, and performing penetration testing to catch vulnerabilities which may not have been picked up by scans.
Crucially, gaining a full picture of the differences between the old system being migrated and the new one means engaging with the vendor: reviewing the documentation they provide, using the vendor’s training, and engaging their support services. The purpose of these exercises is to understand what the specific process at hand will look like, so that every option for a pain-free migration is available.
Using appropriate migration tools is another vital preparatory step before executing the migration. Manually migrating large rule bases is time-consuming and therefore disruptive to the network and services, and it increases the chance of human error. Choosing the correct tools to allow this process to happen seamlessly, and ideally automatically, saves the migration team from getting deep into the weeds of a drawn-out manual migration.
Tools offered by the vendor have certain guarantees, offering a more seamless process, as well as ongoing support and updates once the migration is complete. It’s also vital to get the configuration correct. Incorrect configurations can disrupt services and, more importantly, leave organisations vulnerable to attacks and in breach of network security standards. Review the converted configuration and address all differences, paying close attention to how different vendors handle zones, inter-zone rules, NAT, and protocols like ICMP.
Successfully executing a migration means completing all the tests necessary to verify the success criteria – in other words that all desired outcomes have been validated. Defining success criteria and selecting the tests to prove it provides a concrete measure of this, creates a framework for detecting issues as early as possible, and builds trust in the migration, as well as providing invaluable information for future improvements.
Typically, the migration team conducts technical tests confirming data can travel through the network as intended by checking routing adjacencies, ensuring that the physical and logical connections are functioning by checking ports for errors, checking the firewall’s ability to switch to a backup system in case of failure, and monitoring the network paths, as well as simulating failure scenarios.
Meanwhile, the customer conducts application-specific tests, validating performance, connectivity, and security, including from an end user’s perspective.
With these tests and desired outcomes established, the migration can be executed. A rollback plan is also prepared in advance as a last resort, in case any critical and unresolvable issues arise which mean the migration must be reversed. A change freeze is implemented to set up for the migration, which then happens during a maintenance window. In the cutover, traffic is routed from the old firewall to the new firewall. Testing is conducted during and after the migration to verify that the firewall is functioning as intended. Assuming there are no major disruptions, the migration is complete.
Immediately after the cutover, traffic analysis, log review, and performance metrics monitoring are essential to detect any issues. Setting automatic alerts is vital to catching and observing any attacks during this time. Issues are then resolved as soon as possible, and detailed records are kept. The hypercare period involves higher than normal attention to issues and performance, with a knowledgeable dedicated support team on hand to resolve issues in order of priority.
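The post-cutover log review mentioned above can be partly automated by comparing the decisions the old firewall logged for each flow with those the new one logs. The following is an added example, not code from the article or from Systal; it assumes a constructed, vendor-neutral key=value log format, and the log lines and addresses are made up for illustration.

```python
import re

# Constructed log format for this example: "<timestamp> action=... src=... dst=... proto=... [dport=...]".
LOG_RE = re.compile(
    r"action=(?P<action>\w+) src=(?P<src>[\d.]+) dst=(?P<dst>[\d.]+) "
    r"proto=(?P<proto>\w+)(?: dport=(?P<dport>\d+))?"
)

# Constructed sample logs: the old firewall before cutover, the new one after.
BASELINE_LOGS = """\
2025-03-01T01:00:01 action=allow src=10.1.2.3 dst=192.0.2.10 proto=tcp dport=443
2025-03-01T01:00:02 action=allow src=10.1.2.4 dst=192.0.2.53 proto=udp dport=53
2025-03-01T01:00:03 action=deny src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=22
2025-03-01T01:00:04 action=allow src=10.1.2.3 dst=192.0.2.10 proto=icmp
"""
POST_CUTOVER_LOGS = """\
2025-03-01T02:00:01 action=allow src=10.1.2.3 dst=192.0.2.10 proto=tcp dport=443
2025-03-01T02:00:02 action=deny src=10.1.2.4 dst=192.0.2.53 proto=udp dport=53
2025-03-01T02:00:03 action=allow src=198.51.100.7 dst=192.0.2.10 proto=tcp dport=22
2025-03-01T02:00:04 action=deny src=10.1.2.3 dst=192.0.2.10 proto=icmp
"""

def flow_decisions(log_text):
    """Map each flow key (src, dst, proto, dport) to the set of actions logged for it."""
    decisions = {}
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue  # unparseable line: skip rather than guess a decision
        key = (m["src"], m["dst"], m["proto"], m["dport"] or "any")
        decisions.setdefault(key, set()).add(m["action"])
    return decisions

def cutover_regressions(baseline, after):
    """Flows whose decision changed across the cutover.
    newly_denied: likely broken service, check the converted rule (ICMP handling is a common one);
    newly_allowed: possible over-permissive conversion, check before the hypercare period ends."""
    base = flow_decisions(baseline)
    post = flow_decisions(after)
    newly_denied = sorted(k for k in base if "allow" in base[k] and post.get(k) == {"deny"})
    newly_allowed = sorted(k for k in base if "deny" in base[k] and post.get(k) == {"allow"})
    return {"newly_denied": newly_denied, "newly_allowed": newly_allowed}
```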
As well as testing for issues, this period is an opportunity to optimise the new firewall for the customer based on their established needs. Data collected during testing can be used to identify areas of improvement, including efficiency gains and opportunities to use advanced features.
With the migration complete, customers can enjoy advanced features that Next Generation Firewalls are able to provide, including Zero-Day protection, proactive security, activity monitoring and access control for increased user visibility, cloud service integration, and defence against advanced threats and threat intelligence. All of these significantly enhance network security, improve operational efficiency, and reduce the risk of cyber-threats.
Steven McGhie is Principal Network Architect at Systal